OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

cti-comment message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [cti-comment] STiX 2.0 Cyber-Observable Objects definition

On 07.06.2017 14:14:44, Palmer, Cliff A. (NE) wrote:
> The STIX Version 2.0, Part 4: Cyber Observable Objects document
> mentions that the cyber-observable objects included in STIX 2.0
> "represent a minimally viable product".
> The latest schema I have seen specifies 18 cyber-observable objects.
> Prior CyboX versions had specifications for something in the
> neighborhood of 90 CyboX objects.
> Is there a roadmap which identifies the future STIX version which
> will contain the specification for each of the remaining
> cyber-observable objects?

Hi, Cliff -

While the CybOX 2.1 data model included about 90 objects, in practice
most of these weren't used. As we began the effort of refactoring
CybOX 3.0 (since incorporated into STIX 2.0 as STIX Cyber
Observables), we decided that the most prudent course of action would
be to focus our efforts on the CybOX objects people were actually

We wanted to take this decision based on real-world data. Trouble was,
the vast majority of this data was locked up inside various private
information-sharing communities (e.g., ISACs and ISAOs). So we created
an open-source tool called cti-stats [1] which these private sharing
communities could run against their data and get sanitized statistical
output. We took great care in this effort, being sensitive to the need
to safeguard the confidentiality of participants.

This dataset was then aggregated. The results are available here [2].

If you look at that data, you'll see that the vast majority of the
CybOX 2.1 objects weren't in use. One can speculate as to whether this
was due to a) some of the objects being overly complicated and hence
difficult to use, b) a reflection of the overall maturity of current
information-sharing practices, or c) a combination of the two.

Regardless, it was clear that we should focus our initial efforts on
refactoring the objects in actual use.

As we iterate towards the STIX 2.1 release, the CTI TC STIX Cyber
Observables subcommittee is working to expand the data model. Our
roadmap is still evolving but the CTI TC cover page [3] documents the
current state.

Whether we wind up replicating all of the 90+ objects that were in the
CybOX 2.1 data model is an open question. Our efforts are focused on
what the CTI TC community needs and which people are willing to
contribute time and effort towards developing. This is, after all,
primarily a volunteer-driven community effort.

If there are particular CybOX 2.1 constructs which you need or want
that are currently missing from STIX 2.0, we invite you to join the
OASIS CTI TC and help us to flesh those out. Please don't hesitate to
reach out to me privately if you have questions about how to engage
with our standards process.

[1]: https://github.com/Soltra/cti-stats
[2]: https://cyboxproject.github.io/cti-stats/
[3]: https://docs.google.com/document/d/1yvqWaPPnPW-2NiVCLqzRszcx91ffMowfT5MmE9Nsy_w/edit#heading=h.rnemfnrew1l4

Kingfisher Operations, sprl
gpg fingerprint: 85F3 5F54 4A2A B4CD 33C4  5B9B B30D DD6E 62C8 6C1D
"Every old idea will be proposed again with a different name and a
different presentation, regardless of whether it works." --RFC 1925

Attachment: signature.asc
Description: Digital signature

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]